# Security

The utilities used for managing cryptographic keys, certificates, etc. are stored in the \<dms-folder>/app/bin folder (.sh for Linux, .bat for Windows).

```
app/
├── bin
│   ├── certedit.sh
│   ├── dbputil.sh
│   ├── tokedit.sh
```

The /security folder contains information about security configurations:

* /cfg/dstk.ini contains the DSTK (Data Secure Toolkit) configuration.\
  The DSTK provides the infrastructure (PKI) and services (via cryptographic libraries) necessary for implementing a modern standards-based public key cryptographic system.\
  The default configuration suits all the use cases. Thus, no modification is needed.
* /securitystore contains the Token DB, the Password DB, and the Certificates DB configured in dstk.ini.

## Create Token DB

During the installation, a new Token DB must be created with the dbputil.sh and tokedit.sh utilities.

The path and format of the Token DB are preset in the dstk.ini file by the following properties of the MyToken section:

* Cryptosystem: PKCS12.\
  Name: \<DMS\_HOME>/app/security/securitystore/keystore/token.p12

**DB Password Creation**

Before creating the Token DB, a password must be created and recorded in the Password Database.

Syntax: `dbputil.sh add -p`

When prompted by dbputil, enter the password interactively.

**Token DB Creation**

Run the following command:

Syntax: `tokedit.sh create -p`

When prompted by tokedit, enter the password interactively.

## Migration of keys and certificates

### Export from Spazio

In Spazio, keys and certificates can be configured in the following files:

<table><thead><tr><th valign="top">.ini file</th><th valign="top">File Sections</th></tr></thead><tbody><tr><td valign="top">dstk.ini</td><td valign="top"><ul><li>CDB - Certificates DataBase</li><li>MyToken - User's personal token information: the database containing the keys can be configured in the Name property of this section. If not specified, the default value is $HOME/.dstk/token.sdb</li><li>SSL Security Configuration: the database containing the keys used by SSL can be configured in the TokenName property of this section. If not specified, the one configured in MyToken.Name will be used.</li><li>SSH Security Configuration: the database containing the keys used by SSH can be configured in the TokenName property of this section. If not specified, the one configured in MyToken.Name will be used.</li></ul></td></tr><tr><td valign="top">pps.ini</td><td valign="top"><ul><li>global: the database containing the keys can be configured in the CryptoSysPar property.</li></ul></td></tr><tr><td valign="top">ssl.ini</td><td valign="top">All ProtocolName sections may contain TokenName.</td></tr><tr><td valign="top">ssh.ini</td><td valign="top">All ProtocolName sections may contain TokenName.</td></tr></tbody></table>

#### Export Keys

The keys are stored in the token database, which can have different formats (sdb, jks, pkcs12). In the configuration files mentioned above, the path to the token database can be specified.

Below are the sections and the properties to be checked:

<table><thead><tr><th valign="top">.ini file</th><th valign="top">Section</th><th valign="top">Property</th><th valign="top">Notes</th></tr></thead><tbody><tr><td valign="top">dstk.ini</td><td valign="top">MyToken</td><td valign="top">Name</td><td valign="top"></td></tr><tr><td valign="top">dstk.ini</td><td valign="top">SSL</td><td valign="top">TokenName</td><td valign="top"></td></tr><tr><td valign="top">dstk.ini</td><td valign="top">SSH</td><td valign="top">TokenName</td><td valign="top"></td></tr><tr><td valign="top">pps.ini</td><td valign="top">global</td><td valign="top">CryptoSysPar</td><td valign="top"></td></tr><tr><td valign="top">ssl.ini</td><td valign="top">&#x3C;Custom Section></td><td valign="top">TokenName</td><td valign="top">May contain several TokenNames in different sections; for example, several client connections, each with a different Token DB.</td></tr><tr><td valign="top">ssh.ini</td><td valign="top">&#x3C;Custom Section></td><td valign="top">TokenName</td><td valign="top">May contain several TokenNames in different sections; for example, several client connections, each with a different Token DB.</td></tr></tbody></table>

#### Export Utilities

Keys/certificates present in the tokens specified in the configuration files can be exported using the tokedit utility.

With tokedit you can export the keys present in the token database set in the ***Name*** property of the ***MyToken*** section of the dstk.ini file, using the P12EXP command.

Syntax: **tokedit P12EXP \<TYPE> \<FILEOUT> \<PASSWORD>**

<table><thead><tr><th valign="top">Parameter</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">TYPE</td><td valign="top"><p>Type of export for PKCS#12.</p><p>2: all components present in the token (certificate/public key pairs, CA certificates, private keys and data)</p></td></tr><tr><td valign="top">PASSWORD</td><td valign="top">Password used to protect the exported data. If this parameter is omitted, the user is prompted to enter it. The allowed length range is 8-64 chars. Legal characters are: uppercase A-Z, lowercase a-z, numbers 0-9, period (.), forward slash (/), underscore (_). NOTE: this password encrypts the exported object; you will need it again when importing the object.</td></tr><tr><td valign="top">FILEOUT</td><td valign="top"><p>Path name of the PKCS#12 file.</p><p>NOTE: if the file already exists, it is overwritten without any additional warning.</p><p>To enable correct import in Data Mover Smart, the file name must have the form:</p><p>&#x3C;configuration_file_name>-&#x3C;section>.p12</p><p>E.g. DSTK-SSL.p12 (section SSL of DSTK.INI)</p></td></tr></tbody></table>

With tokedit you can also list the objects stored in the Token DB.

Syntax: **tokedit LIST \[objType]**

<table><thead><tr><th valign="top">Parameter</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">objType<br>(not mandatory)</td><td valign="top">To limit the list to one particular type of object, specify one of the following values (either numerical or text values can be used, uppercase or lowercase):</td></tr><tr><td valign="top">0 or data</td><td valign="top">List data objects</td></tr><tr><td valign="top">1 or certificate</td><td valign="top">List X.509 certificates</td></tr><tr><td valign="top">2 or public_key</td><td valign="top">List RSA public keys</td></tr><tr><td valign="top">3 or private_key</td><td valign="top">List RSA private keys</td></tr><tr><td valign="top">4 or secret_key</td><td valign="top">List all object types</td></tr><tr><td valign="top">5</td><td valign="top">List all object types (default)</td></tr></tbody></table>

Find below the steps to be taken to export the keys:

1. Identify all the cryptographic tokens used by the Spazio installation (there may be more than one, and they may have different formats).
2. For each cryptographic token identified on the Spazio installation, execute the tokedit P12EXP command.

**Example 1**

Identified cryptographic tokens:

<table><thead><tr><th valign="top">.ini file</th><th valign="top">Token DB</th></tr></thead><tbody><tr><td valign="top">dstk.ini</td><td valign="top">[MyToken] → Name</td></tr></tbody></table>

Action to be performed:

1. Export the keys and certificates in the MyToken section with the tokedit command

   E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345

**Example 2**

Identified cryptographic tokens:

<table><thead><tr><th valign="top">.ini file</th><th valign="top">Token DB</th></tr></thead><tbody><tr><td valign="top">dstk.ini</td><td valign="top"><p>[MyToken] → Name</p><p>[SSH] → TokenName</p></td></tr></tbody></table>

Actions to be performed:

1. Export the keys and certificates in the MyToken section with the tokedit command

   E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345
2. Export keys and certificates in the TokenDB of the SSH section:
   1. Make a copy of the dstk.ini file.
   2. Edit the MyToken section of the dstk.ini file by setting the following values:

      Name: value of the TokenName of the SSH section

      CryptoSystem: value of the Cryptosystem of the SSH section
   3. Export with the tokedit command

      E.g. TOKEDIT P12EXP 2 dstk-ssh.p12 Pwd12345
   4. Restore the original dstk.ini file.

**Example 3**

Identified cryptographic tokens:

<table><thead><tr><th valign="top">.ini file</th><th valign="top">Token DB</th></tr></thead><tbody><tr><td valign="top">dstk.ini</td><td valign="top">[MyToken] → Name</td></tr><tr><td valign="top">ssh.ini</td><td valign="top"><p>[Section1] → TokenName</p><p>[Section2] → TokenName</p></td></tr></tbody></table>

Actions to be performed:

1. Export the keys and certificates in the MyToken section with the tokedit command

   E.g. TOKEDIT P12EXP 2 dstk-mytoken.p12 Pwd12345
2. Export the keys and certificates of the Token DBs referenced in the ssh.ini file:
   1. Make a copy of the dstk.ini file.
   2. Export the keys and certificates in the Token DB of Section1:
   3. Modify the MyToken section of the dstk.ini file by setting the following values:
      * Name: value of the TokenName of the Section1 section of the ssh.ini file
      * CryptoSystem: value of the Cryptosystem of the Section1 section of the ssh.ini file
   4. Export with the tokedit command

      E.g. TOKEDIT P12EXP 2 ssh-section1.p12 Pwd12345
   5. Export the keys and certificates in the Token DB of Section2: re-execute 2.3 and 2.4 replacing Section1 with Section2.
   6. Restore the original dstk.ini file.
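The three examples above are all instances of the same inventory step: find every Token DB the Spazio .ini files point at, resolve the MyToken.Name fallback, and give each one its `<configuration_file_name>-<section>.p12` export name. The following script is an added example (not part of the Data Mover Smart documentation or its tools) that generalizes that step: it parses the files and sections from the tables above and deduplicates Token DBs referenced from several sections, so each is exported once. The .ini contents and paths in `SAMPLE` are constructed, and falling back to MyToken's Cryptosystem for sections without their own is an assumption.

```python
import configparser
from pathlib import PurePath
# Where Spazio may reference a token DB (ini file, section, property), per the tables
# above; section None means every section of the file (ssl.ini / ssh.ini).
TOKEN_REFERENCES = [("dstk.ini", "MyToken", "Name"), ("dstk.ini", "SSL", "TokenName"),
                    ("dstk.ini", "SSH", "TokenName"), ("pps.ini", "global", "CryptoSysPar"),
                    ("ssl.ini", None, "TokenName"), ("ssh.ini", None, "TokenName")]

def inventory_tokens(ini_texts):
    """ini_texts maps file name -> content. Returns one entry per distinct token DB:
    path, cryptosystem, referencing (file, section) pairs and the P12EXP output name."""
    parsed = {}
    for name, text in ini_texts.items():
        parsed[name] = configparser.ConfigParser(interpolation=None)  # option names case-insensitive
        parsed[name].read_string(text)
    dstk = parsed.get("dstk.ini", configparser.ConfigParser())
    my_path = dstk.get("MyToken", "Name", fallback="$HOME/.dstk/token.sdb")  # documented default
    my_cs = dstk.get("MyToken", "Cryptosystem", fallback=None)
    found = {}
    for ini, section, prop in TOKEN_REFERENCES:
        cp = parsed.get(ini)
        if cp is None:
            continue
        for sec in (cp.sections() if section is None else [section]):
            if not cp.has_section(sec):
                continue
            path = cp.get(sec, prop, fallback=None)
            if not path and ini == "dstk.ini" and sec in ("SSL", "SSH"):
                path = my_path  # SSL/SSH TokenName defaults to MyToken.Name
            if not path:
                continue  # this section does not point at a token DB
            entry = found.setdefault(path, {
                "path": path,
                # assumption: a section without its own Cryptosystem uses MyToken's
                "cryptosystem": cp.get(sec, "Cryptosystem", fallback=my_cs),
                "references": [],
                # <configuration_file_name>-<section>.p12, lower-case as in the examples
                "export_file": f"{PurePath(ini).stem}-{sec}.p12".lower(),
            })
            entry["references"].append((ini, sec))
    return list(found.values())  # one P12EXP run per entry covers all its sections

# Constructed sample of a Spazio installation with three token DBs (paths are made up).
SAMPLE = {
    "dstk.ini": "[MyToken]\nCryptosystem: PKCS12\nName: /opt/spazio/.dstk/token.p12\n"
                "[SSL]\n[SSH]\nCryptosystem: JKS\nTokenName: /opt/spazio/ssh/token.jks\n",
    "ssh.ini": "[Section1]\nTokenName: /opt/spazio/ssh/token.jks\n"
               "[Section2]\nCryptosystem: SDB\nTokenName: /opt/spazio/.dstk/s2.sdb\n",
}
```

Each returned entry is one P12EXP run: point MyToken.Name and Cryptosystem at `path`/`cryptosystem`, use `export_file` as FILEOUT, then restore dstk.ini.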

#### Export Certificates

X.509 public key certificates and SSH keys (Host keys and User keys) must be exported from Spazio and imported into Data Mover Smart.

The `BULK_EXPORT` command of the DSTK utility certedit is used to perform this task.

Syntax:

`certedit BULK_EXPORT <DIRNAME> [DB=CA|USR|PKHOST|PKUSR]`

Exports all certificates, the SSH Host Keys and the SSH User Keys from the CDB into an external directory. When this command is run against the PKHOST or PKUSR store, a full OpenSSH public key file is exported.

<table><thead><tr><th valign="top">Parameter</th><th valign="top">Mandatory</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">DIRNAME</td><td valign="top">Y</td><td valign="top">Full path of directory where the certificates will be exported.</td></tr><tr><td valign="top">DB</td><td valign="top">N</td><td valign="top">DB=CA|USR|PKHOST|PKUSR<br>Action is performed against CA-Store, USR-DB, User’s or CA Public Key 'CDBName' configured in the [CDB] Section of dstk.ini.</td></tr></tbody></table>

To export ALL Certificates, the SSH Host Keys and the SSH User Key run the following commands:

`certedit BULK_EXPORT <DIRNAME>` (export ALL Certificates)

`certedit BULK_EXPORT <DIRNAME> DB=PKUSR` (export SSH User Key)

`certedit BULK_EXPORT <DIRNAME> DB=PKHOST` (export SSH Host Keys)

**Example**

Below is an example for exporting all certificates into the /home/user/certificates directory:

`certedit BULK_EXPORT /home/user/certificates`

`certedit BULK_EXPORT /home/user/certificates DB=PKUSR`

`certedit BULK_EXPORT /home/user/certificates DB=PKHOST`

### Import into Data Mover Smart

In Data Mover Smart there is a single Token DB for the storage of keys.

#### Import Key

Keys contained in p12 files can be imported with the import-p12 command of tokedit.sh (tokedit.bat for Windows).

Syntax: `tokedit.sh import-p12 [command options]`

<table><thead><tr><th valign="top">Command option</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">--pwd, -p</td><td valign="top">The password to access the p12 file.</td></tr><tr><td valign="top">--in, -i</td><td valign="top">The path of the P12 input file.</td></tr></tbody></table>

**Example**

To import dstk-mytoken.p12, exported with password Pwd12345, use this command:

`./tokedit.sh import-p12 -i dstk-mytoken.p12 -p Pwd12345`

{% hint style="danger" %}
**Warning!** If two p12 files contain an entry with the same label, importing the second file generates an error. In this case, the labels must be renamed with the rename command of the tokedit utility.
{% endhint %}

Syntax:

`tokedit.sh rename [command options]`

<table><thead><tr><th valign="top">Command option</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">--label, -l</td><td valign="top">The old entry label</td></tr><tr><td valign="top">--new-label</td><td valign="top">The new entry label</td></tr></tbody></table>

Since tokedit renames labels in the token database set in the **Name** property of the **MyToken** section of the dstk.ini file, the following operations must be performed to rename a label inside a p12 file before importing it:

1. Make a copy of the dstk.ini file.
2. Set the Name property of the MyToken section to the p12 file that contains the label:

   ```
   [MyToken]
   ...
   Name=<path>/dstk-ssh.p12
   ```
3. Rename the label:

   `tokedit.sh rename -l label1 --new-label label1-new`
4. Restore the original dstk.ini file.

After renaming, the p12 file can be imported.

#### Import Certificate

You can import X.509 public key certificates and SSH keys (Host keys and User keys) from a directory with the bulk\_import command of certedit.sh (certedit.bat for Windows).

Syntax:

`certedit.sh bulk_import  [command options]`

<table><thead><tr><th valign="top">Command option</th><th valign="top">Mandatory</th><th valign="top">Description / Value</th></tr></thead><tbody><tr><td valign="top">--in, -i</td><td valign="top">Y</td><td valign="top">Path of the directory containing the files to import.</td></tr><tr><td valign="top">--db, -d</td><td valign="top">N</td><td valign="top">Database to query. Accepted values are: "ca", "usr", "pkhost", "pkusr", "rev", and "pgp". Default [ca]</td></tr><tr><td valign="top">--format, -f</td><td valign="top">N</td><td valign="top"><p>File format. Accepted values are:</p><p>0 for DER, 1 for PEM, 7 for PKCS#7 PEM, 9 for automatic encoding detection, 10 for OpenSSH public key file, 11 for Secure SHell (SSH) Public Key File, 13 for PGP/GPG Binary or ASCII Armor format.</p><p>When operating on PGP, specifying the format is optional since only format 13 is allowed.</p></td></tr></tbody></table>

To import ALL Certificates, the SSH Host Keys and the SSH User Keys, run the following commands:

`./certedit.sh bulk_import -i <PATH_DIR>` (import ALL Certificates)

`./certedit.sh bulk_import -i <PATH_DIR> -d pkhost -f 9` (import SSH Host Keys)

`./certedit.sh bulk_import -i <PATH_DIR> -d pkusr -f 9` (import SSH User Keys)

**Example**

Find below an example for importing all certificates from the /home/user/certificates directory:

`./certedit.sh bulk_import -i /home/user/certificates`

`./certedit.sh bulk_import -i /home/user/certificates -d pkhost -f 9`

`./certedit.sh bulk_import -i /home/user/certificates -d pkusr -f 9`

